Monday , March 25, 2019

Security Notes: Payments in the Cloud

I have found out that many payments professionals, who claim to use and comprehend the cloud, view it simply as a remote repository of accounts. So this month I have decided to dedicate this column to one purpose: elucidating this remarkable technology as a service to my readers.

Early in my life in Israel, I lived in a “kibbutz.” There were no private cars, but there was a fleet of vehicles ranging from small sedans to large pickup trucks.  Members checked out what they needed at the moment. In this way, we achieved effective mobility at a fraction of the “car parked in every garage” cost. Maintenance was centralized and professional. Also, a personal vehicle is often too small or too big for the current purpose.

These savings and efficiencies can be likened to what cloud technology offers its users.

Suppose you have a grand idea for loyalty payments, so you set up a database to manage it. Your idea catches on, and more and more customers log in. Now you have maxed out your server. Response is getting slow, customers drop off. Not good. If instead you contract a cloud provider to host your data, then expansion is seamless and painless. You pay more, but in proportion to your usage requirements. You can start small, but if you become an overnight success, your database resources expand accordingly.

The idea is that you are excused from the need to pre-estimate your capacity requirements. The cloud provider stays ready to accommodate your overnight growth. This is a big help for any payments startup counting its pennies.

The cloud operates with its client via an interface. The client requests database services and receives them. It is important to understand that this communication between the cloud and its client takes place through a veil. This means that you, as the client, are clueless as to the mode, configuration, and location of your data. This remains the domain of the cloud. It takes your data and organizes it as it sees fit.

When you query your database, or change some entries there, you pass the request to the cloud and the cloud takes care of it—again through a veil. You get proper responses, but you are not privy to the particulars of the data handling. That means you are not responsible for that configuration. It is what the cloud does professionally.

You are also relieved of worries about a breakdown. A professional cloud is built with massive redundancy. If some hardware burns out, or some miswiring takes place, there is enough backup machinery to keep your services running. It is all built into the fee, which is usage-determined.

Payment innovators who understand the fundamental advantage of cloud configurations are signing up in droves. Then, when I tell them that their customers’ data is exposed to any credentialed employee at the cloud company, they are shocked. Alas, that is the price of convenience.

Also, while clouds are highly resistant to hacking and malfunctions, they are not foolproof. The cloud is not the Federal Deposit Insurance Corp. Its responsibility is linked to the data per se, not the money that is reflected in your database.

The big commercial clouds accumulate so much experience and improve so fast that no private alternative can compete. Much as the Internet, as it grew, killed most private networks, so it is with cloud technology.

Even highly secretive government agencies use commercial clouds, but with “before-and-after” encryption. This means the data is encrypted before it is passed to the cloud, and decrypted after it is returned from the cloud. A powerful new technology called homomorphic encryption enables this protection, which denies the cloud access to private data while enabling the cloud’s sorting and selecting capabilities.

Payments are so essential to civil order that it is important to understand how the growing dependency on wireless connectivity makes the cloud a juicy target for hostile agents and places it at risk during natural catastrophes. Serious payments planners ensure continuity by keeping money hosted in phones and other personal devices. Such personally-hosted funds can transact between two battery-operated devices when the Internet is down.

For example, BitMint developed a dedicated money language to accommodate a seamless shift from network-enabled payment to network-disabled payment. For the country that is most advanced in that regard, look at the Peoples Republic of China.

—Gideon Samid •

Check Also

Details on Apple/Goldman Card? And other Digital Transactions News briefs from 3/25/19

Apple Inc. on Monday is expected to make several major announcements, possibly including one regarding …